SEC573: Automating Information Security with Python Waitlist

Thu, December 14 - Tue, December 19, 2017

SEC573 has significantly helped with my foundational knowledge of Python, while exposing me to more advanced applications of it.

Chris Miller, Global Payments

SEC573 is vital for anyone who considers themselves to be a penetration tester.

Jeff Turner, Lexis Nexis Risk Solutions

All security professionals, including Penetration Testers, Forensics Analysts, Network Defenders, Security Administrators, and Incident Responders, have one thing in common. CHANGE. Change is constant. Technology, threats, and tools are constantly evolving. If we don't evolve with them, we'll become ineffective and irrelevant, unable to provide the vital defenses our organizations increasingly require.

Maybe your chosen operating system has a new feature that creates interesting forensics artifacts that would be invaluable for your investigation, if only you had a tool to access them. Often, for new features and forensics artifacts, no such tool has yet been released. You could try moving your case forward without that evidence or hope that someone creates a tool before the case goes cold...or you can write a tool yourself.

Or, perhaps an attacker bypassed your defenses and owned your network months ago. If existing tools were able to find the attack, you wouldn't be in this situation. You are bleeding sensitive data and the time-consuming manual process of finding and eradicating the attacker is costing you money and hurting your organization big time. The answer is simple if you have the skills: Write a tool to automate your defenses.

Or, as a penetration tester, you need to evolve as quickly as the threats you are paid to emulate. What do you do when "off-the-shelf" tools and exploits fall short? If you're good, you write your own tool.

Writing a tool is easier said than done, right? Not really. Python is a simple, user-friendly language designed to make automating the tasks that security professionals perform quick and easy. Whether you are new to coding or have been coding for years, SANS SEC573 Automating Information Security with Python will have you creating programs to make your job easier and make you more efficient. This self-paced class starts from the very beginning, assuming you have no prior experience or knowledge of programming. We cover all of the essentials of the language up front. If you already know the essentials, you will find that the pyWars lab environment allows advanced developers to quickly accelerate to the more advanced material in the class. The self-paced style of the class meets you where you are so that you get the most out of it. Beyond the essentials we discuss file analysis, packet analysis, forensics artifact carving, networking, database access, website access, process execution, exception handling, object-oriented coding and more.

This course is designed to give you the skills you need for tweaking, customizing, or outright developing your own tools. We put you on the path of creating your own tools, empowering you in automating the daily routine of today's information security professional, achieving more value in less time. Again and again, organizations serious about security emphasize their need for skilled tool builders. There is a huge demand for people who can understand a problem and then rapidly develop prototype code to attack or defend against it. Join us and learn Python in-depth and fully weaponized.

You Will Learn:

How to leverage Python scripting to maximize the effectiveness of your penetration tests.

How to use TCP sockets to build network applications.

How to develop Web Application attack tools.

How to parse TCP packets and PCAP data to extract valuable information.

How to use advanced application concepts, such as threading and message queueing.

Course Syllabus

SEC573.1: Essentials Workshop with pyWars

Overview

The course begins with a brief introduction to Python and the pyWars capture the flag game. We set the stage for students to learn at their own pace in the 100% hands-on pyWars lab environment. As more advanced students take on Python-based Capture The Flag challenges, students who are new to programming will start from the very beginning with Python essentials, including:

SEC573.2: Essentials Workshop with MORE pyWars

Overview

You will never learn to program by staring at PowerPoint slides. The second day continues the hands-on, lab-centric approach established on day one. This section covers data structures and more detailed programming concepts. Next, we focus on invaluable tips and tricks to make you a better Python programmer and on how to debug your code. Day two includes topics such as:

SEC573.3: Defensive Python

Days 3-5, Automating Information Security: The next three days are focused on expanding your Python skills, leveraging modules and performing important operations used by all information security professionals. You will learn about file operations, log analysis, database operations, low-level network operations such as raw sockets and packet parsing, high-level network operations such as HTTP and authentication, object-oriented coding, regular expressions, subprocess execution and automation, and much more. We demonstrate that these skills are common to every security profession and useful to everyone, regardless of your discipline, by giving each of the three days its own theme.

Overview

Day three includes in-depth coverage of how defenders can use Python automation, as we cover Python modules and techniques that everyone can use. Forensicators and offensive security professionals will also learn essential skills they will apply to their craft. We will play the role of a network defender who needs to find the attackers on their network. We will discuss how to analyze network logs and packets to discover where the attackers are coming from and what they are doing. We will build scripts to enable continuous monitoring and disrupt the attackers before they exfiltrate your data. Day 3 topics include:

SEC573.4: Forensics Python

Overview

On day four we will play the role of a forensics analyst who has to carve evidence from artifacts when no tool exists to do so. Even if you don't do forensics, you will find that the skills covered on day four are foundational to every security role. We will discuss the process required to carve binary images, find the data of interest in them, and extract that data. Once you have the artifact isolated, there is more analysis to be done. You will learn how to extract metadata from image files. Then we will discuss techniques for finding artifacts in other locations, such as SQL databases, and for interacting with web pages. Day 4 subjects include:

SEC573.5: Offensive Python

Overview

On day five we play the role of a penetration tester whose normal tricks have failed. Their attempts to establish a foothold have been stopped by modern defenses. To bypass these defenses, you will build an agent to give you access to a remote system. Similar agents can be used for incident response or systems administration, but our focus will be on offensive operations. Today's subjects include:

SEC573.6: Capture the Flag

Overview

In this final section you will be placed on a team with other students. Working as a team, you will apply the skills you have mastered in a series of programming challenges. Participants will exercise the skills and code they have developed over the previous five days as they exploit vulnerable systems, break encryption ciphers, analyze packets, parse logs, and automate code execution on remote systems. Test your skills! Prove your might!

CPE/CMU Credits: 6

Additional Information

Laptop Required

Students are required to bring their own laptop so that they can connect directly to the workshop network we will create, and thus get the most value out of the course. It is the students' responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine. All of the VMware products are available at www.vmware.com.

Windows

You are required to bring Windows 10 (Professional), Windows 8.1 (Professional), Windows 8 (Professional), Windows 7 (Professional, Enterprise, or Ultimate) or Windows Vista (Business, Enterprise, or Ultimate) either on a real system or a virtual machine. You will need administrative access to your Windows computer and the ability to install various software packages, including Python, on that computer.

IMPORTANT NOTE: You may also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that Administrator password for your anti-virus tool.

The course includes a VMware image file of a guest Linux system that is larger than 15 GB. Therefore, you need a file system with the ability to read and write files that are larger than 15 GB, such as NTFS on a Windows machine.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation from VMware's website. VMware will send you a time-limited license number for VMware Workstation if you register for the trial on its website. No license number is required for VMware Player.

Linux

You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

x86- or x64-compatible CPU, 2.0 GHz or faster.

An available USB port.

4 GB of RAM or more recommended.

Ethernet adapter: A wired connection is required in class. If your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you.

15 GB available hard drive space.

During the workshop, you will be connecting to one of the most hostile networks on planet earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn - and have a lot of fun doing it!

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

Security professionals who benefit from automating routine tasks so they can focus on what's most important

Forensics Analysts who can no longer wait on someone else to develop a commercial tool to analyze artifacts

Network Defenders who sift through mountains of logs and packets to find evildoers in their networks

Penetration testers who are ready to advance from script kiddie to professional offensive operator

Other Courses People Have Taken

What You Will Receive

A virtual machine with sample code and working examples.

A copy of Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers, T.J. O'Connor's critically praised book that shows readers how to forge their own weapons using the Python programming language.

MP3 audio files of the complete course lecture.

This Course Will Prepare You To

Develop forensics tools to carve artifacts from forensic evidence for which no other tool exists, or use third-party modules for well-known artifacts to uncover hidden evidence relevant to your investigations.

Create defensive tools to automate the analysis of log files and network packets, using hunt team techniques to track down attackers in your network. Implement custom whitelisting, blacklisting, signature detection, long tail and short tail analysis, and other data analysis techniques to find attacks overlooked by conventional methods.

Write penetration testing tools, including several backdoors with features such as process execution, payload upload and download, port scanning and more. Build essential tools that evade antivirus software and allow you to establish that required foothold inside your target.

Press & Reviews

"SEC573 is vital for anyone who considers themselves to be a pen tester." - Jeff Turner, Lexis Nexis Risk Solutions

"So far the content of Python for Penetration Testers has been great. I have learned several things, even as an advanced user." - Matthew Garfinkle, ManTech International Corporation

Author Statement

Good scripting skills are essential to professionals in all aspects of information security. Understanding how to develop your own applications means you can automate tasks and do more, with fewer resources, in less time. As penetration testers, knowing how to use canned information security tools is a basic skill that you must have. But knowing how to build your own tools when the tools someone else wrote fail is what separates the great penetration testers from the good ones. This course is designed for security professionals who want to learn how to apply basic coding skills to do their job more efficiently. The course will help take your career to the next level by teaching you the essential skills needed to develop applications that interact with networks, websites, databases, and file systems. We will cover these essential skills as we build practical applications that you can immediately put into use in your penetration tests.